Die vorliegende Übersetzung wurde maschinell erstellt. Im Falle eines Konflikts oder eines Widerspruchs zwischen dieser übersetzten Fassung und der englischen Fassung (einschließlich infolge von Verzögerungen bei der Übersetzung) ist die englische Fassung maßgeblich. # Amazon Security Lake Amazon Security Lake zentralisiert automatisch Sicherheitsdaten aus AWS Umgebungen, SaaS-Anbietern (Software as a Service), lokalen Standorten und Cloud-Quellen in einem speziell entwickelten Data Lake, der in Ihrem gespeichert ist. AWS-Konto Mit Security Lake erhalten Sie ein umfassenderes Verständnis Ihrer Sicherheitsdaten in Ihrem gesamten Unternehmen. Security Lake hat das Open Cybersecurity Schema Framework (OCSF) eingeführt, ein Open-Source-Schema für Sicherheitsereignisse. Mit OCSF-Unterstützung normalisiert und kombiniert der Service Sicherheitsdaten aus AWS und einer Vielzahl von Sicherheitsdatenquellen für Unternehmen. ## AppFabric Überlegungen zur Erfassung von Auditprotokollen Sie können Ihre SaaS-Auditprotokolle in Amazon Security Lake in Ihrem abrufen, AWS-Konto indem Sie eine benutzerdefinierte Quelle zu Security Lake hinzufügen. In den folgenden Abschnitten werden das AppFabric Ausgabeschema, das Ausgabeformat und die Ausgabeziele beschrieben, die mit Security Lake verwendet werden sollen. ### Schema und Format Security Lake unterstützt das folgende AppFabric Ausgabeschema und -format: + OCSF - JSON + AppFabric normalisiert die Daten mithilfe des Open Cybersecurity Schema Framework (OCSF) und gibt die Daten im JSON-Format aus. ### Speicherorte für die Ausgabe Security Lake unterstützt AppFabric als benutzerdefinierte Quelle die Verwendung eines Amazon Data Firehose-Lieferdatenstroms als Speicherort für die AppFabric Aufnahme und Ausgabe. Gehen Sie wie folgt vor, um die AWS Glue Tabelle und den Firehose-Lieferstream zu konfigurieren und eine benutzerdefinierte Quelle in Security Lake einzurichten. ### Erstellen Sie eine Tabelle AWS Glue 1. Navigieren Sie zu Amazon Simple Storage Service (Amazon S3) und erstellen Sie einen Bucket mit einem Namen Ihrer Wahl. 1. Navigieren Sie zur AWS Glue Konsole. 1. Gehen Sie für **Datenkatalog** zum Abschnitt **Tabellen** und wählen Sie **Tabelle hinzufügen** aus. 1. Geben Sie einen Namen Ihrer Wahl für diese Tabelle ein. 1. Wählen Sie den Amazon S3 S3-Bucket aus, den Sie in Schritt 1 erstellt haben. 1. Wählen Sie als Datenformat **JSON** und dann **Weiter** aus. 1. **Wählen Sie auf der Seite Schema auswählen oder definieren** die Option **Schema als JSON bearbeiten** aus. 1. Geben Sie das folgende Schema ein und schließen Sie den AWS Glue Tabellenerstellungsprozess ab. ``` [ { "Name": "message", "Type": "string" }, { "Name": "process", "Type": "struct,group:struct,tid:int,cmd_line:string,container:struct,hash:struct>,created_time:bigint,parent_process:struct,type:string,version:string,path:string,uid:string,type_id:int,mime_type:string,parent_folder:string,data_classification:struct,hashes:array>,is_system:boolean,modified_time:bigint,xattributes:string>,user:struct,type_id:int,uid_alt:string>,group:struct>,tid:int,uid:string,cmd_line:string,container:struct,hash:struct,network_driver:string,pod_uuid:string>,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>>" }, { "Name": "status", "Type": "string" }, { "Name": "time", "Type": "bigint" }, { "Name": "device", "Type": "struct,type:string,ip:string,hostname:string,mac:string,image:struct,type_id:int,container:struct,hash:struct>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,network_interfaces:array>,region:string,risk_score:int,modified_time_dt:string>" }, { "Name": "metadata", "Type": "struct,url_string:string,vendor_name:string>,data_classification:struct,event_code:string,log_name:string,log_provider:string,original_time:string,tenant_uid:string,processed_time_dt:string>" }, { "Name": "severity", "Type": "string" }, { "Name": "duration", "Type": "int" }, { "Name": "type_name", "Type": "string" }, { "Name": "activity_id", "Type": "int" }, { "Name": "type_uid", "Type": "int" }, { "Name": "observables", "Type": "array>" }, { "Name": "category_name", "Type": "string" }, { "Name": "class_uid", "Type": "int" }, { "Name": "category_uid", "Type": "int" }, { "Name": "class_name", "Type": "string" }, { "Name": "timezone_offset", "Type": "int" }, { "Name": "end_time", "Type": "bigint" }, { "Name": "activity_name", "Type": "string" }, { "Name": "cloud", "Type": "struct,project_uid:string,provider:string,region:string>" }, { "Name": "query_info", "Type": "struct" }, { "Name": "query_result", "Type": "string" }, { "Name": "query_result_id", "Type": "int" }, { "Name": "severity_id", "Type": "int" }, { "Name": "status_code", "Type": "string" }, { "Name": "status_detail", "Type": "string" }, { "Name": "status_id", "Type": "int" }, { "Name": "network_interfaces", "Type": "array>" }, { "Name": "file", "Type": "struct>,type_id:int,email_addr:string>,creator:struct,parent_folder:string,data_classification:struct,hashes:array>,security_descriptor:string,accessed_time_dt:string,modified_time_dt:string>" }, { "Name": "actor", "Type": "struct,is_system:boolean,xattributes:string,modified_time_dt:string>,user:struct,group:struct,loaded_modules:array,cmd_line:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct>,hashes:array>>,user:struct,type_id:int,risk_level:string,uid_alt:string>,group:struct,uid:string,cmd_line:string,container:struct,hash:struct,network_driver:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct,type_id:int,created_time:bigint,data_classification:struct,hashes:array>,xattributes:string,created_time_dt:string>,group:struct,uid:string,loaded_modules:array,cmd_line:string,container:struct,hash:struct>,sandbox:string,egid:int,created_time_dt:string>,created_time_dt:string>,terminated_time:bigint,auid:int>,user:struct,app_name:string,idp:struct,invoked_by:string>" }, { "Name": "dst_endpoint", "Type": "struct,port:int,type:string,ip:string,location:struct,continent:string>,hostname:string,uid:string,type_id:int,autonomous_system:struct,container:struct,hash:struct,orchestrator:string>,hw_info:struct,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>" }, { "Name": "src_endpoint", "Type": "struct,groups:array>,type_id:int,credential_uid:string,email_addr:string,ldap_person:struct>,port:int,type:string,ip:string,location:struct,continent:string>,hostname:string,uid:string,type_id:int,container:struct,hash:struct,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array,namespace_pid:int,svc_name:string,vpc_uid:string>" }, { "Name": "user", "Type": "struct>,type_id:int>" }, { "Name": "resource", "Type": "struct>>>,cloud_partition:string,data_classification:struct>" }, { "Name": "privileges", "Type": "array" }, { "Name": "action", "Type": "string" }, { "Name": "action_id", "Type": "int" }, { "Name": "protocol_ver", "Type": "string" }, { "Name": "proxy", "Type": "struct>,autonomous_system:struct,container:struct>,instance_uid:string,interface_name:string,interface_uid:string,intermediate_ips:array,namespace_pid:int,proxy_endpoint:struct>,hash:struct,network_driver:string,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,proxy_endpoint:struct,container:struct,hash:struct>,intermediate_ips:array,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,zone:string>,svc_name:string>" }, { "Name": "client_hassh", "Type": "struct>" }, { "Name": "authorizations", "Type": "array" }, { "Name": "proxy_tls", "Type": "struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,cipher:string,sni:string,certificate_chain:array,client_ciphers:array,ja3_hash:struct,ja3s_hash:struct>" }, { "Name": "load_balancer", "Type": "struct,credential_uid:string,ldap_person:struct,type_id:int>,given_name:string,ldap_dn:string,leave_time:bigint,modified_time:bigint,surname:string>>,port:int,type:string,os:struct,ip:string,hostname:string,uid:string,type_id:int,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string>,endpoint_connections:array,created_time:bigint,hire_time:bigint,ldap_dn:string,surname:string,modified_time_dt:string,deleted_time_dt:string>,groups:array>,full_name:string,email_addr:string,risk_level:string,risk_level_id:int>,port:int,type:string,ip:string,hostname:string,type_id:int,container:struct,hash:struct,network_driver:string>,instance_uid:string,interface_name:string,namespace_pid:int,proxy_endpoint:struct>,type_id:int,full_name:string,email_addr:string,risk_score:int,uid_alt:string>,port:int,type:string,hostname:string,uid:string,type_id:int,autonomous_system:struct,container:struct,hash:struct,orchestrator:string,pod_uuid:string>,hw_info:struct>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string>,subnet_uid:string,svc_name:string,uid:string,interface_uid:string,intermediate_ips:array>>>,metrics:array>>" }, { "Name": "disposition_id", "Type": "int" }, { "Name": "disposition", "Type": "string" }, { "Name": "proxy_traffic", "Type": "struct" }, { "Name": "auth_type_id", "Type": "int" }, { "Name": "proxy_http_response", "Type": "struct" }, { "Name": "server_hassh", "Type": "struct>" }, { "Name": "auth_type", "Type": "string" }, { "Name": "firewall_rule", "Type": "struct" }, { "Name": "proxy_connection_info", "Type": "struct" }, { "Name": "connection_info", "Type": "struct" }, { "Name": "api", "Type": "struct,response:struct,operation:string>" }, { "Name": "attacks", "Type": "array>,technique:struct>>" }, { "Name": "raw_data", "Type": "string" }, { "Name": "email_uid", "Type": "string" }, { "Name": "malware", "Type": "array,cves:array,created_time:bigint,cvss:array>,overall_score:double,depth:string>>,modified_time_dt:string,created_time_dt:string,type:string>>,provider:string,classifications:array>>" }, { "Name": "start_time_dt", "Type": "string" }, { "Name": "direction", "Type": "string" }, { "Name": "smtp_hello", "Type": "string" }, { "Name": "unmapped", "Type": "string" }, { "Name": "direction_id", "Type": "int" }, { "Name": "email_auth", "Type": "struct" }, { "Name": "email", "Type": "struct,data_classification:struct,delivered_to:string,message_uid:string,reply_to:string,smtp_from:string>" }, { "Name": "impact_id", "Type": "int" }, { "Name": "resources", "Type": "array>,version:string,data_classification:struct,data:string,labels:array,region:string>>" }, { "Name": "finding_info", "Type": "struct>,technique:struct>>,analytic:struct,last_seen_time:bigint,first_seen_time_dt:string>" }, { "Name": "evidences", "Type": "array,hashes:array>,security_descriptor:string,owner:struct>,type_id:int,account:struct,credential_uid:string,uid_alt:string>,desc:string,accessor:struct,email_addr:string>,creator:struct,type_id:int,full_name:string>,modified_time:bigint,modified_time_dt:string>,user:struct,group:struct,uid:string,loaded_modules:array,cmd_line:string,container:struct>,hash:struct>,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct>,product:struct,vendor_name:string>,type_id:int,company_name:string,mime_type:string,parent_folder:string,data_classification:struct,hashes:array>,modified_time_dt:string,created_time_dt:string,owner:struct,groups:array>,type_id:int,credential_uid:string,email_addr:string,risk_level:string,risk_level_id:int>,accessed_time:bigint,confidentiality:string,confidentiality_id:int,xattributes:string>,user:struct,org:struct,risk_score:int>,group:struct,name:string,type:string,desc:string>,uid:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct,credential_uid:string,domain:string,risk_level:string>,group:struct,uid:string,cmd_line:string,container:struct,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type_id:int,data_classification:struct,hashes:array>,owner:struct>,path:string,parent_folder:string,is_system:boolean,security_descriptor:string,accessed_time_dt:string>,user:struct,type:string,domain:string,uid:string,groups:array>,type_id:int,account:struct,credential_uid:string,risk_score:int>,uid:string,cmd_line:string,container:struct,hash:struct>,created_time:bigint,integrity:string,lineage:array,namespace_pid:int,parent_process:struct,hashes:array>,xattributes:string,created_time_dt:string,signature:struct>,created_time:bigint,serial_number:string,created_time_dt:string>,algorithm:string,algorithm_id:int>,accessor:struct,company_name:string,mime_type:string,accessed_time:bigint,modified_time_dt:string>,user:struct,deleted_time:bigint>,groups:array>,account:struct,risk_level:string,risk_score:int,uid_alt:string>,group:struct>,uid:string,cmd_line:string,container:struct>,hash:struct,pod_uuid:string>,created_time:bigint,namespace_pid:int,parent_process:struct>,security_descriptor:string,modified_time_dt:string>,user:struct,groups:array>,type_id:int,email_addr:string,ldap_person:struct,manager:struct,groups:array>>,type_id:int,full_name:string,risk_level:string,risk_level_id:int>,last_login_time_dt:string>,uid_alt:string>,group:struct>,uid:string,loaded_modules:array,cmd_line:string,container:struct,hash:struct,orchestrator:string>,created_time:bigint,integrity:string,namespace_pid:int,parent_process:struct,file:struct,type:string,path:string,desc:string,uid:string,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,data_classification:struct,uid:string>>,hashes:array>,is_system:boolean>,user:struct,group:struct>,loaded_modules:array,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct>,created_time:bigint,expiration_time:bigint,serial_number:string,expiration_time_dt:string>,algorithm:string,algorithm_id:int>,type_id:int,parent_folder:string,created_time:bigint,data_classification:struct,hashes:array>,created_time_dt:string>,user:struct,group:struct,uid:string,created_time:bigint,namespace_pid:int,auid:int,euid:int,egid:int>,terminated_time:bigint,xattributes:string,euid:int>>,auid:int,terminated_time_dt:string,created_time_dt:string,lineage:array>,egid:int,group:struct,tid:int,loaded_modules:array,sandbox:string,terminated_time:bigint,xattributes:string,euid:int>,terminated_time:bigint,xattributes:string,terminated_time_dt:string,created_time_dt:string,pid:int,session:struct,file:struct,product:struct,url_string:string,vendor_name:string>,type_id:int,mime_type:string,parent_folder:string,confidentiality:string,created_time:bigint,data_classification:struct,uid:string>>,hashes:array>,modified_time:bigint,accessed_time_dt:string,modified_time_dt:string>,loaded_modules:array,integrity:string,integrity_id:int,lineage:array,egid:int>,terminated_time:bigint,xattributes:string,pid:int,cmd_line:string,auid:int,created_time_dt:string>,xattributes:string,tid:int,integrity:string,euid:int>,file:struct,url_string:string,vendor_name:string>,type_id:int,creator:struct,credential_uid:string,uid_alt:string>,parent_folder:string,confidentiality:string,confidentiality_id:int,created_time:bigint,data_classification:struct,hashes:array>,security_descriptor:string,accessor:struct,risk_level:string,risk_level_id:int>,company_name:string,accessed_time_dt:string,created_time_dt:string>,query:struct,connection_info:struct,api:struct,uid:string>,response:struct,message:string,error_message:string>,operation:string,version:string>,actor:struct,parent_folder:string,confidentiality:string,data_classification:struct,hashes:array>,modified_time:bigint,xattributes:string,modified_time_dt:string,created_time_dt:string,version:string,desc:string,security_descriptor:string>,uid:string,cmd_line:string,container:struct,hash:struct,pod_uuid:string,runtime:string,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type:string,path:string,desc:string,modifier:struct,uid:string,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct>,hashes:array>,created_time_dt:string,signature:struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,algorithm:string,algorithm_id:int,created_time:bigint>,product:struct,cpe_name:string,data_classification:struct,vendor_name:string>,accessed_time_dt:string>,user:struct,type_id:int,account:struct,ldap_person:struct,job_title:string,office_location:string,hire_time_dt:string>,risk_score:int>,group:struct,cmd_line:string,container:struct,image:struct,network_driver:string>,created_time:bigint,integrity:string,integrity_id:int,namespace_pid:int,parent_process:struct,algorithm:string,algorithm_id:int>,product:struct,vendor_name:string>,uid:string,type_id:int,accessor:struct,parent_folder:string,data_classification:struct,hashes:array>,is_system:boolean,xattributes:string,accessed_time_dt:string,modified_time_dt:string>,user:struct,group:struct,uid:string,cmd_line:string,container:struct,image:struct,orchestrator:string>,created_time:bigint,namespace_pid:int,auid:int,terminated_time_dt:string,integrity:string,integrity_id:int,parent_process:struct,cost_center:string,deleted_time:bigint,email_addrs:array,ldap_dn:string,leave_time_dt:string>,risk_level:string,risk_score:int>,type:string,path:string,type_id:int,accessor:struct,mime_type:string,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct,hashes:array>,security_descriptor:string,modified_time_dt:string,created_time_dt:string>,user:struct,loaded_modules:array,cmd_line:string,container:struct,hash:struct,network_driver:string>,created_time:bigint,namespace_pid:int,parent_process:struct,type_id:int>,risk_level:string,risk_level_id:int>,uid:string,loaded_modules:array,cmd_line:string,container:struct>,created_time:bigint,namespace_pid:int,parent_process:struct,file:struct,type_id:int,creator:struct,mime_type:string,parent_folder:string,accessed_time:bigint,hashes:array>,accessed_time_dt:string>,group:struct,tid:int,uid:string,cmd_line:string,created_time:bigint,namespace_pid:int,parent_process:struct,modifier:struct,uid_alt:string>,type_id:int,mime_type:string,parent_folder:string,accessed_time:bigint,confidentiality:string,confidentiality_id:int,data_classification:struct,is_system:boolean,accessed_time_dt:string>,user:struct,group:struct>,uid:string,container:struct,hash:struct,network_driver:string,orchestrator:string>,created_time:bigint,namespace_pid:int,parent_process:struct>,expiration_time:bigint,serial_number:string,created_time_dt:string>,algorithm:string,algorithm_id:int>,uid:string,type_id:int,parent_folder:string,accessed_time:bigint,confidentiality:string,confidentiality_id:int,data_classification:struct,hashes:array>,accessed_time_dt:string,modified_time_dt:string,created_time_dt:string>,user:struct>,group:struct,cmd_line:string,container:struct,hash:struct>,created_time:bigint,integrity:string,integrity_id:int,lineage:array,namespace_pid:int,parent_process:struct,file:struct,hashes:array>,security_descriptor:string,xattributes:string>,user:struct,group:struct,uid:string,cmd_line:string,container:struct,hash:struct,network_driver:string>,created_time:bigint,lineage:array,namespace_pid:int,parent_process:struct,type_id:int,risk_level:string>,creator:struct,parent_folder:string,accessed_time:bigint,confidentiality:string,data_classification:struct,hashes:array>,accessed_time_dt:string>,user:struct,type_id:int,account:struct,credential_uid:string,risk_level:string>,group:struct,uid:string,cmd_line:string,container:struct,hash:struct>,created_time:bigint,parent_process:struct>,expiration_time:bigint,serial_number:string,expiration_time_dt:string>,algorithm:string,algorithm_id:int,created_time_dt:string>,uid:string,type_id:int,accessor:struct,type_id:int,credential_uid:string,ldap_person:struct,continent:string>,deleted_time:bigint,job_title:string,modified_time:bigint,modified_time_dt:string,leave_time_dt:string>,risk_score:int>,parent_folder:string,accessed_time:bigint,data_classification:struct>,hashes:array>,is_system:boolean>,user:struct,type_id:int,uid_alt:string>,group:struct>,uid:string,cmd_line:string,container:struct>,hash:struct,orchestrator:string,pod_uuid:string>,created_time:bigint,integrity:string,namespace_pid:int,created_time_dt:string>,auid:int>,created_time_dt:string>,sandbox:string>>,terminated_time:bigint,euid:int>,terminated_time:bigint,xattributes:string>>,terminated_time:bigint,egid:int>,auid:int,egid:int,uid:string>,terminated_time_dt:string,user:struct>,account:struct,email_addr:string,risk_level:string>,group:struct,integrity:string,integrity_id:int,egid:int>,user:struct,desc:string,uid:string>>,type_id:int,risk_level:string,risk_level_id:int,uid_alt:string,full_name:string,credential_uid:string,email_addr:string,ldap_person:struct>,app_uid:string,authorizations:array>>>,container:struct,hash:struct,network_driver:string>,databucket:struct,created_time_dt:string>,dst_endpoint:struct,type_id:int,full_name:string,account:struct,type_id:int>,credential_uid:string,name:string,groups:array>,risk_level:string,risk_level_id:int>,port:int,type:string,domain:string,ip:string,hostname:string,uid:string,type_id:int,agent_list:array>>>,autonomous_system:struct,container:struct,hash:struct,network_driver:string,runtime:string,pod_uuid:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string,os:struct,intermediate_ips:array,proxy_endpoint:struct>>>,port:int,type:string,ip:string,location:struct,continent:string>,uid:string,mac:string,type_id:int,container:struct>,hash:struct>,instance_uid:string,interface_uid:string,intermediate_ips:array,namespace_pid:int,svc_name:string,zone:string>>,src_endpoint:struct>>,type_id:int,full_name:string,email_addr:string,ldap_person:struct,name:string,uid:string,credential_uid:string>,port:int,type:string,os:struct,domain:string,ip:string,hostname:string,type_id:int,agent_list:array>,container:struct,network_driver:string>,instance_uid:string,interface_name:string,interface_uid:string,namespace_pid:int,svc_name:string,vlan_uid:string,uid:string,autonomous_system:struct>,database:struct>>,type_id:int,data_classification:struct>>>" }, { "Name": "impact", "Type": "string" }, { "Name": "count", "Type": "int" }, { "Name": "confidence_id", "Type": "int" }, { "Name": "enrichments", "Type": "array>" }, { "Name": "rcode", "Type": "string" }, { "Name": "app_name", "Type": "string" }, { "Name": "rcode_id", "Type": "int" }, { "Name": "query", "Type": "struct" }, { "Name": "proxy_endpoint", "Type": "struct>>,type_id:int,credential_uid:string,risk_score:int>,port:int,type:string,ip:string,hostname:string,uid:string,type_id:int,autonomous_system:struct,container:struct,hash:struct,pod_uuid:string>,instance_uid:string,interface_uid:string,namespace_pid:int,subnet_uid:string,svc_name:string>" }, { "Name": "response_time", "Type": "bigint" }, { "Name": "delay", "Type": "int" }, { "Name": "start_time", "Type": "bigint" }, { "Name": "proxy_http_request", "Type": "struct,category_ids:array,subdomain:string,url_string:string>,user_agent:string,http_headers:array>,referrer:string>" }, { "Name": "version", "Type": "string" }, { "Name": "stratum", "Type": "string" }, { "Name": "stratum_id", "Type": "int" }, { "Name": "dispersion", "Type": "int" }, { "Name": "traffic", "Type": "struct" }, { "Name": "precision", "Type": "int" }, { "Name": "size", "Type": "int" }, { "Name": "actual_permissions", "Type": "int" }, { "Name": "base_address", "Type": "string" }, { "Name": "requested_permissions", "Type": "int" }, { "Name": "end_time_dt", "Type": "string" }, { "Name": "compliance", "Type": "struct,status_id:int>" }, { "Name": "remediation", "Type": "struct" }, { "Name": "kb_article_list", "Type": "array,title:string,uid:string,severity:string,classification:string,created_time:bigint,size:int,created_time_dt:string>>" }, { "Name": "peripheral_device", "Type": "struct" }, { "Name": "time_dt", "Type": "string" }, { "Name": "group", "Type": "struct" }, { "Name": "users", "Type": "array>,uid_alt:string>>" }, { "Name": "confidence_score", "Type": "int" }, { "Name": "state", "Type": "string" }, { "Name": "state_id", "Type": "int" }, { "Name": "evidence", "Type": "string" }, { "Name": "confidence", "Type": "string" }, { "Name": "risk_level", "Type": "string" }, { "Name": "risk_score", "Type": "int" }, { "Name": "impact_score", "Type": "int" }, { "Name": "risk_level_id", "Type": "int" }, { "Name": "finding", "Type": "struct" }, { "Name": "user_result", "Type": "struct>,risk_level:string>" }, { "Name": "codes", "Type": "array" }, { "Name": "command", "Type": "string" }, { "Name": "type", "Type": "string" }, { "Name": "kernel", "Type": "struct" }, { "Name": "http_response", "Type": "struct>>" }, { "Name": "http_request", "Type": "struct,resource_type:string,subdomain:string,url_string:string>,user_agent:string,http_headers:array>>" }, { "Name": "tls", "Type": "struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,cipher:string,sni:string,certificate_chain:array,client_ciphers:array,ja3s_hash:struct>" }, { "Name": "web_resources", "Type": "array,url_string:string,data:string>>" }, { "Name": "http_cookies", "Type": "array>" }, { "Name": "type_id", "Type": "int" }, { "Name": "databucket", "Type": "struct,ldap_person:struct,modified_time:bigint,modified_time_dt:string>,risk_score:int>,size:bigint,type:string,path:string,modifier:struct>,type_id:int>,type_id:int,parent_folder:string,created_time:bigint,hashes:array>,accessed_time_dt:string>,uid:string,groups:array>,type_id:int,data_classification:struct>,modified_time_dt:string,created_time_dt:string>" }, { "Name": "table", "Type": "struct" }, { "Name": "session", "Type": "struct" }, { "Name": "certificate", "Type": "struct>,created_time:bigint,expiration_time:bigint,serial_number:string>" }, { "Name": "is_mfa", "Type": "boolean" }, { "Name": "logon_type_id", "Type": "int" }, { "Name": "auth_protocol_id", "Type": "int" }, { "Name": "logon_type", "Type": "string" }, { "Name": "is_remote", "Type": "boolean" }, { "Name": "is_cleartext", "Type": "boolean" }, { "Name": "auth_protocol", "Type": "string" }, { "Name": "is_renewal", "Type": "boolean" }, { "Name": "lease_dur", "Type": "int" }, { "Name": "relay", "Type": "struct" }, { "Name": "transaction_uid", "Type": "string" }, { "Name": "file_result", "Type": "struct,vendor_name:string>,type_id:int,creator:struct,groups:array>,type_id:int,risk_level:string>,parent_folder:string,confidentiality:string,data_classification:struct,modified_time:bigint>" }, { "Name": "file_diff", "Type": "string" }, { "Name": "create_mask", "Type": "string" }, { "Name": "web_resources_result", "Type": "array,url_string:string>>" }, { "Name": "app", "Type": "struct,url_string:string,vendor_name:string>" }, { "Name": "src_url", "Type": "string" }, { "Name": "priority_id", "Type": "int" }, { "Name": "verdict", "Type": "string" }, { "Name": "desc", "Type": "string" }, { "Name": "verdict_id", "Type": "int" }, { "Name": "priority", "Type": "string" }, { "Name": "finding_info_list", "Type": "array>,technique:struct>>,analytic:struct,created_time:bigint,src_url:string,last_seen_time_dt:string,created_time_dt:string,related_analytics:array>,related_events:array>>>,modified_time_dt:string>>" }, { "Name": "expiration_time_dt", "Type": "string" }, { "Name": "expiration_time", "Type": "bigint" }, { "Name": "comment", "Type": "string" }, { "Name": "entity", "Type": "struct" }, { "Name": "entity_result", "Type": "struct" }, { "Name": "module", "Type": "struct>,type_id:int,risk_level:string>,parent_folder:string,data_classification:struct,xattributes:string>,base_address:string,function_name:string,load_type:string,load_type_id:int,start_address:string>" }, { "Name": "exit_code", "Type": "int" }, { "Name": "injection_type", "Type": "string" }, { "Name": "injection_type_id", "Type": "int" }, { "Name": "request", "Type": "struct" }, { "Name": "response", "Type": "struct" }, { "Name": "driver", "Type": "struct>,hashes:array>,security_descriptor:string,created_time_dt:string>>" }, { "Name": "prev_security_states", "Type": "array" }, { "Name": "security_states", "Type": "array" }, { "Name": "folder", "Type": "struct,hashes:array>,security_descriptor:string,accessed_time_dt:string>" }, { "Name": "url", "Type": "struct" }, { "Name": "tunnel_type_id", "Type": "int" }, { "Name": "tunnel_type", "Type": "string" }, { "Name": "protocol_name", "Type": "string" }, { "Name": "job", "Type": "struct>,created_time:bigint,expiration_time:bigint,serial_number:string>,algorithm:string,algorithm_id:int,developer_uid:string>,type_id:int,parent_folder:string,confidentiality:string,confidentiality_id:int,data_classification:struct,hashes:array>,security_descriptor:string>,desc:string,cmd_line:string,created_time:bigint,last_run_time:bigint,next_run_time:bigint,run_state:string,run_state_id:int>" }, { "Name": "num_trusted_items", "Type": "int" }, { "Name": "command_uid", "Type": "string" }, { "Name": "num_registry_items", "Type": "int" }, { "Name": "num_network_items", "Type": "int" }, { "Name": "schedule_uid", "Type": "string" }, { "Name": "num_resolutions", "Type": "int" }, { "Name": "scan", "Type": "struct" }, { "Name": "num_detections", "Type": "int" }, { "Name": "num_processes", "Type": "int" }, { "Name": "num_files", "Type": "int" }, { "Name": "total", "Type": "int" }, { "Name": "num_folders", "Type": "int" }, { "Name": "dce_rpc", "Type": "struct,command_response:string,opnum:int,rpc_interface:struct>" }, { "Name": "share", "Type": "string" }, { "Name": "client_dialects", "Type": "array" }, { "Name": "open_type", "Type": "string" }, { "Name": "tree_uid", "Type": "string" }, { "Name": "share_type_id", "Type": "int" }, { "Name": "share_type", "Type": "string" }, { "Name": "dialect", "Type": "string" }, { "Name": "cis_benchmark_result", "Type": "struct" }, { "Name": "vulnerabilities", "Type": "array,severity:string,affected_packages:array>,cve:struct,created_time:bigint,cvss:array>,epss:struct,title:string,desc:string,cwe_url:string>,cwe:struct,kb_articles:array,kb_article_list:array,title:string,product:struct,url_string:string,vendor_name:string>,uid:string,severity:string,created_time:bigint,is_superseded:boolean,classification:string>>,related_vulnerabilities:array,vendor_name:string>>" }, { "Name": "service", "Type": "struct" }, { "Name": "data_security", "Type": "struct,desc:string,uid:string>>" }, { "Name": "database", "Type": "struct,modified_time:bigint>" } ] ``` ### Erstellen Sie eine benutzerdefinierte Quelle in Security Lake 1. Navigieren Sie zur Amazon Security Lake-Konsole. 1. Wählen Sie im Navigationsbereich **Benutzerdefinierte Quellen** aus. 1. Wählen Sie **Benutzerdefinierte Quelle erstellen aus**. 1. Geben Sie einen Namen für Ihre benutzerdefinierte Quelle ein und wählen Sie eine entsprechende OCSF-Ereignisklasse aus. **Anmerkung** AppFabric verwendet die Ereignisklassen **Kontoänderung**, **Authentifizierung**, **Benutzerzugriffsverwaltung****, Gruppenverwaltung**, **Webressourcenaktivität** und **Webressourcenzugriffsaktivität**. 1. Geben Sie sowohl für die **AWS-Konto ID** als auch für die **externe** AWS-Konto ID Ihre ID ein. Wählen Sie dann die Option **Erstellen**. 1. Speichern Sie den Amazon S3 S3-Speicherort der benutzerdefinierten Quelle. Sie werden es verwenden, um einen Amazon Data Firehose-Lieferstream einzurichten. ### Erstellen Sie einen Lieferstream in Firehose 1. Navigieren Sie zur Amazon Data Firehose-Konsole. 1. Wählen Sie **Create a Delivery Stream** aus. 1. Wählen Sie als **Quelle** **Direct PUT** aus. 1. Wählen Sie als **Ziel** **S3** aus. 1. Wählen Sie im Abschnitt **Datensätze transformieren und konvertieren** die Option **Konvertierung des Datensatzformats aktivieren** und wählen Sie **Apache Parquet**als Ausgabeformat aus. 1. Wählen Sie für **AWS Glue Tabelle** die AWS Glue Tabelle aus, die Sie im vorherigen Verfahren erstellt haben, und wählen Sie die neueste Version aus. 1. Wählen Sie für **Zieleinstellungen** den Amazon S3 S3-Bucket aus, den Sie mit der benutzerdefinierten Security Lake-Quelle erstellt haben. 1. Wählen Sie für **Dynamische Partitionierung** die Option **Aktiviert**. 1. **Wählen Sie für **Inline-Parsing für JSON die** Option Aktiviert aus.** + Geben Sie als **Schlüsselname ein**. `eventDayValue` + Geben Sie für **JQ Expression ein**. `(.time/1000)|strftime("%Y%m%d")` 1. Geben Sie für das **S3-Bucket-Präfix** den folgenden Wert ein. ``` ext//region=/accountId=/eventDay=!{partitionKeyFromQuery:eventDayValue}/ ``` Ersetzen Sie ** ** und ** durch Ihren benutzerdefinierten Security Lake-Quellnamen AWS-Region und Ihre AWS-Konto ID. 1. Geben Sie für das **Ausgabepräfix für den S3-Bucket-Fehler** den folgenden Wert ein. ``` ext/AppFabric/error/ ``` 1. Wählen Sie für die **Dauer des Wiederholversuchs** **300** aus. 1. Wählen Sie für die **Puffergröße** **128 MiB** aus. 1. Wählen Sie für das **Pufferintervall** **60s** aus. 1. Schließen Sie den Erstellungsprozess für den Firehose-Lieferstream ab. ### Ingestions erstellen AppFabric Um Daten an Amazon Security Lake zu senden, müssen Sie in der AppFabric Konsole eine Aufnahme erstellen, die den Firehose-Lieferstream, den Sie zuvor erstellt haben, als Ausgabespeicherort verwendet. Weitere Informationen zur Konfiguration von AppFabric Ingestions für die Verwendung von Firehose als Ausgabespeicherort finden Sie unter [Erstellen eines](prerequisites.md#create-output-location) Ausgabespeicherorts.